BITLOCKER DECRYPTION
TPM + BitLocker


BitLocker 02 AES-128 3 3905:{G/(§: UEFI sa0303 XTS, Legacy Boot 
390309 CBC 033908{G)lo2051 Data 60203 Volume Master Key (VMK) & 
Encryption (qc9dcloocSi1 VMK , Recovery Key 03 ao0dmeggSbocdadqé 
exs0msdlegqnconmes &éclos051

> BitLocker Password 
> Encryption Enable (g\00503 saq]§Q2 Recovery Key 390309 Save 
009309 File, USB, Printed Paper, Note, Microsoft Account, 


> Trusted Platform Module (TPM) 


BitLocker Drive Encryption (H:)

How do you want to back up your recovery key?

(i) Some settings are managed by your system administrator.

If you forget your password or lose your smart card, you can use your recovery key to access your drive.

-> Save to your Microsoft account
-> Save to a USB flash drive
-> Save to a file
-> Print the recovery key
BitLocker Recovery Key 0B673F42-8544-4B2E-8D3E-EB4882BA4D05 - Notepad

BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.
Identifier:

0B673F42-8544-4B2E-8D3E-EB4882BA4D05

If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.

Recovery Key:

121264-206448-389906-633061-041734-614119-173129-716595

If the above identifier doesn't match the one displayed by your PC, then this isn't the right key to unlock your drive.
Try another recovery key, or refer to https://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.


BitLocker Recovery Key 
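An added example in Python (not part of the original page): a checker for the recovery key file format shown above. It validates a transcribed 48-digit recovery password with BitLocker's block rule (each 6-digit block is a multiple of 11 below 65536 * 11), decodes it to the 16-byte recovery key, and compares the identifier prefix the way the file text instructs; the sample key and identifier are the demo values from the file, and the function names are my own.

```python
import re

# Constructed sample values: the demo recovery password and identifier shown in
# the recovery key file above (lab values from the page, not a live secret).
SAMPLE_KEY = "121264-206448-389906-633061-041734-614119-173129-716595"
SAMPLE_IDENTIFIER = "0B673F42-8544-4B2E-8D3E-EB4882BA4D05"

# Each 6-digit block of a BitLocker recovery password is a 16-bit value
# multiplied by 11, so a valid block is always a multiple of 11 below 65536 * 11.
BLOCK_LIMIT = 65536 * 11


def parse_recovery_password(text: str) -> list[int]:
    """Split a transcribed recovery password into its eight 6-digit blocks.

    Stray spaces and dashes (as OCR or hand transcription leave them, e.g.
    '389906 -633061') are ignored; anything other than exactly 48 digits is
    reported as an error rather than guessed at.
    """
    digits = re.sub(r"\D", "", text)
    if len(digits) != 48:
        raise ValueError(f"expected 48 digits, got {len(digits)}")
    return [int(digits[i:i + 6]) for i in range(0, 48, 6)]


def block_is_valid(block: int) -> bool:
    """Check-digit rule for one block: a multiple of 11 and below 65536 * 11.

    Divisibility by 11 is exactly what the sixth (check) digit enforces:
    -d1 + d2 - d3 + d4 - d5 + d6 must be 0 mod 11.
    """
    return 0 <= block < BLOCK_LIMIT and block % 11 == 0


def validate_recovery_password(text: str) -> tuple[bool, list[int]]:
    """Return (is_well_formed, indexes of the blocks that fail the check).

    A typo in any block is caught here before the key is ever tried against a
    volume, which is the cheap check wanted when keys are read off paper or
    out of a backup file.
    """
    blocks = parse_recovery_password(text)
    bad = [i for i, b in enumerate(blocks) if not block_is_valid(b)]
    return (not bad, bad)


def recovery_password_to_bytes(text: str) -> bytes:
    """Decode a well-formed recovery password to its 16 raw key bytes.

    Each block divided by 11 is one 16-bit word; the eight words are laid out
    little-endian in order. These are the bytes BitLocker stretches into the
    key that unwraps the VMK.
    """
    ok, bad = validate_recovery_password(text)
    if not ok:
        raise ValueError(f"blocks {bad} fail the check-digit rule")
    return b"".join((b // 11).to_bytes(2, "little")
                    for b in parse_recovery_password(text))


def identifier_matches(file_identifier: str, displayed_prefix: str) -> bool:
    """Compare the identifier from the key file with the (possibly partial)
    identifier the recovery screen displays, as the key file text instructs.
    Case and stray whitespace are ignored; an empty prefix never matches."""
    norm = lambda s: re.sub(r"\s", "", s).upper()
    prefix = norm(displayed_prefix)
    return bool(prefix) and norm(file_identifier).startswith(prefix)


if __name__ == "__main__":
    print(validate_recovery_password(SAMPLE_KEY))             # (True, [])
    print(recovery_password_to_bytes(SAMPLE_KEY).hex())
    print(identifier_matches(SAMPLE_IDENTIFIER, "0B673F42"))  # True
```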
BitLocker + TPM
Microsoft o> Raw Data 60203 Full Volume Encryption Key (FVEK) 8
Encrypt codolos05 G29 ¢ Volume Master Key (VMK) 8 08 (8: Encrypt
BIOS/UEFI User
1. (S-CRTM) - 2. (BIOS/UEFI Code) - 3. (Boot Loader) - 4. (OS Kernel)
2 - BIOS oorésacnd006 Storage Partition, Master Boot Record (MBR),
Y sacclao 39006 SG soéa3 c08[G:c9dea02€E0lor051

Vv OS Kernel BDSoMes Encrypted c95000:03 Storage Partition fo)
Unlock 0058300203 TPM 0dg0936s000%05 Encrypted VMK o3 Request
c98:096dlos05i1 TPM aoeg PCR Register 602030dea03(33 Chain of
Trust 0 @@§0dea020100051I Corrupt [gdago20¢ VMK Key or) 008
ecoxlonsi


BitLocker key 03 TPM 0dg9 286200920)390203 Storage a3 Pull ond(§: 


ga(gos Forensics Work Station 92 006(8: Decrypt codcheqeor20lons1 cos}, 
Mode [gdegqé Shut Down ecodd RAM , Memory Dump [gjond03
§p5:006z1 Shutdown [gdoago8%qE User Session e@[goéscS agoz03 
390309 Encryption key 6Q)203090%690l (TPM + BitLocker Mode) 


mageé ASOD VeraCrypt, TrueCrypt 030205 3909026 (gdclos05 


(Sleep Mode, Hibernation Mode [gdesqe TPM com PCR Register a 
Cold Boot
Request ardzc9503a0q{§g2 Chain of Trust arcd @§¢§03390305 VMK Key
Computer Shutdown [gd0208 RAM colao Data egqcogs 390309 RAM


colo3. Memory Override cododsadscozcdeclesol(Gu Firewire §
Thunderbolt § 092006209602? Windows 7, 8.1 99 BIOS update ec0dq


62020206026q 6029020511 


Sleep Mode goaae[gaa6g0009 Giolesoz020511 Wake [gdco28: 
aycep 30590 §103 Tools and Capabilities o3(0903(8: Sc


Memory Overwrite Request Control (MOR) efozo¢ Ram cogo 2099 

@O7YS|ese0C Overwrite codc8a5clos05 Attack $pd3c0e26020)  6QQ)/29| 
c80Sor0{gdolooa5i Link oogo o008 Windows Version GO299 Support


G02000589029602,8Edlos051 MOR V2 fo) Support [gd020603390205 


9600380503 3209 Link 9? GOI8CO0 OD05i 


BitLocker Key 03@ 86038052006 e602) 6329090 3209 C2|QDO!IOIOOII

(User 3009 Password §]E 0980096 PUCOe $3609 @cop3coo:0lonsi) 


> Recovery Key goegossa500e: 
> Recovery Key g090099 § 052006: (Power On With CMD, PowerShell)


> Memory Acquisition (Gic0503sa52006: (Power On With Tools) 


> Memory Acquisition [GicoS03sa5:006: (Power OFF)
> Dictionary Attack, Brute-Force Attack [GicoS03sa5:006:
Recovery Key goeygoogp000e: 
BitLocker or) Password G0203309/$ 90 Recovery Key 8 63900369 
G03(Gooo:03 S§GICO2GD 286:00030lo205 39993(g]0> Commercial 
Computer Forensics Tools GOR9D BitLocker Key Finder 603 dlolor051 Qed 


:D Drive 8 BitLocker [GicoScosemé BitLocker Recovery Key o C: Drive Or 


Microsoft Account, USB , Printed Or Note odgo §8¢clor051 


Recovery Key 9099095 §p5:c063 (Power On With CMD, PowerShell)


399§ 092006309609} BitLocker Recovery Key or) CMD, PowerShell


Mes g09020{g 60 OOS! AQSQI}oro Ololgg¢|eso sags BitLocker 4)e¢sor05 
8802008 odaaq{§go (Gjcod0r0(gdclor05i BitLocker Volume ao05 Mount 
[Screenshot: This PC drive list (DFM (D:), DVD RW Drive (E:), USB Drive (G:), USB Drive (H:), PASSWARE MI (K:), USB Drive (J:)) with the BitLocker volume already mounted]

BitLocker Volume Already Mounted


CMD or) Administrator BWSHSOC(G3 BitLocker Sco0%09 Device Letter a 


c099492{gd0lo2051 


manage-bde -protectors -get D:

[Screenshot: Administrator Command Prompt showing the manage-bde protector listing for the volume]

BitLocker Recovery Key


6§001902H§952096097 PowerShell o339094(q1(33 BitLocker Recovery Key
039 09020[gddlo20511 G3a000 Code oO? .ps1 Extension 5 29023103 PowerShell or) Administrator WEES Run or0[gdolor051


# Export the BitLocker recovery keys for all drives and display them at the
# Command Prompt.
$BitlockerVolumes = Get-BitLockerVolume

$BitlockerVolumes | ForEach-Object {
    # Drive letter of this BitLocker volume, e.g. C:
    $MountPoint = $_.MountPoint
    # Join the RecoveryPassword values of all key protectors into one string
    $RecoveryKey = [string]($_.KeyProtector).RecoveryPassword
    # Volumes without a numerical password protector give an empty string
    if ($RecoveryKey.Length -gt 5) {
        Write-Output ("The drive $MountPoint has a BitLocker recovery key $RecoveryKey")
    }
}


BitLocker Recovery Key 


Recovery Key 4099099 § 9520063 (Power On With Tools) 


389§ 900062026009 Forensics Tools 0r59(gd03 Elcomsoft Encrypted 


Disk Hunter 339005:(G)(8: Encryption [GicoScosz0r0§0§) ©06803009 


[gdclos05 Computer Power On , BitLocker Volume ¢o302 Mount 6§OD 


aq]§o00 (Qeade8qolos05i Elcomsoft Encrypted Disk Hunter or) USB 


COMICS 09094) Run &CO!ODOOII 
Encryption [g1c9Sc00%03 Drive Go2Q6s03390205 Recovery Key
OPEC] —OBSQIJOI2AD_~—- COODQS 900360200903 609.499 [gdoloz051

sacol ag a0: coes320963 Recovery Key o3q0986dlos05 slgeur0d Memory 


Acquisition S$ DCEO) CQVOESOIC SECO ODOOII 


EEDH - 03.01.2023 12-06-44 - Notepad
Size: 28.82 GB 
Encryption: - 


| PhysicalDrive2 (int.) 
Size: 200.00 MB 
Encryption: - 


Partition1 
File system: - 
Size: 15.98 MB 
Encryption: - 


Partition2 (H) 

File system: NTFS 
Size: 182.00 MB 
Encryption: BitLocker 


Found encrypted disk(s). 
Found signs that encrypted disk(s) mounted. 
Memory Acquisition [G1ce0503s 052006: (Power On With Tools)


8 § 052036009 Belkasoft Live RAM Capture or) 39052(q1(83 Memory 8 
Dump [(G{coSc0s2d]o0051 @§\c0003 Memory Dump 8 Encryption 
[g2503esq969 390$3(q]90 (gdclos05 Encryption Disk Or Volume o> Mount 
Ce KepterLit ee) Volume Master Key (VMK) o> RAM od@9 Seg closo5 Memory 
Dump aregoS ay§0> Forensics Artifacts cozeSqSédloou5i VMK 8 
Memory Dump 6908390209 Elcomsoft Disk Decryptor o33905:{G] 


co2:dlosu5i 


[Screenshot: Belkasoft Live RAM Capturer, output folder path "\Belkasoft RamCapturer"; log: "Loading device driver ... Physical Memory Page Size = 4096, Total Physical Memory Size = 10726 MB"; Capture! button]
[Screenshot: Elcomsoft Forensic Disk Decryptor, Key mining options: input memory file = Memory dump (alternatives: Active Directory file, Hibernation file), path D:\Belkasoft RamCapturer (1)\x64\20230107.mem; disk encryption types offered to search include PGP Disk (.pgd), PGP WDE, TrueCrypt/VeraCrypt]

[Screenshot: Elcomsoft Forensic Disk Decryptor, Key extraction process. Search result: two entries "Algorithm: 'BitLocker' (incl. 'To Go') Volume Master Key", each followed by its key data in hex]


Volume Master Key (a3o¢ VMK Key on) 286:0023(9:6009 Encryption 


coo 09 Disk Or Volume or) Decryption (Q[e95000 , Mount [G{coS020609 


GjeoS8Edloo0St 


THIRD EYE 




[Screenshot: Elcomsoft Forensic Disk Decryptor, "Select encrypted disk\partition and decryption method": PhysicalDrive0 (Int.) with Partition1 to Partition7 (Partition4 is C:, Partition7 is D:) and PhysicalDrive5 (Ext.) with Partition1 (K:); Decryption method = Saved keys (alternatives: Memory dump, Password, Hibernation file, Active Directory file, Recovery key); Saved keys file C:\Users\aungz\Desktop\New folder (2)\VMK-BL.evk]

Decryption With Volume Master Key


[Screenshot: Elcomsoft Forensic Disk Decryptor, Recovery key: 105072-071082-484616-619245-361614-372955-158917-272437; "The Key for data decryption was found!"]

Disk Mounting With Recovery Key
Hibernation File o3c5 BitLocker Key goo03egq 992 39952(4)8Edloz05iI
Hybrid Sleep 8800000 dlolsag 520828, Sleep (gdes(Q: Sleep Mode aes
Wake [gdc0003s0g/§99 0S QI} 02292 92 Running codeg.or0603
@Qja3seza9E CSc00203 Mode (gdclor05u hiberfil.sys saegg C: Drive , Root
go Golos05i aQ§Qyjorx92 coads§ Running c9deg05 Process Gop Hybrid
Sleep Mode @903620093000(gdolo2051 RAM 39093(G]9 sags poseaa06
hiberfil.sys gaegg 236z0002:0200l1 Pagefile.sys 0805 BitLocker key
qreys}ogo 39992{q]8Edlos5iI hiberfil.sys , Pagefile.sys Gog02 Hidden
[gSeso3a00203 Folder Options @9 [géqese0E —e[Goése58Evlor051
hiberfil.sys , Pagefile.sys ¢, Setting cogare[goEscd8E03a00305 39083(G1994,
Knowledge & sag 390022960] 9005 do0388Edlos05II

[Screenshot: Folder Options > View > Advanced settings: under "Hidden files and folders", "Show hidden files, folders, and drives" is selected; the "Hide protected operating system files (Recommended)" checkbox is the other setting that controls whether hiberfil.sys and pagefile.sys are listed]

Change Folder Options To View System File
[Screenshot: This PC > Local Disk (C:) with hidden and protected system files shown, dated 1/7/2023: hiberfil.sys (System file, 9,329,072 KB), pagefile.sys (System file, 1,572,864 KB) and swapfile.sys (System file, 1,196,032 KB) alongside the usual Program Files, ProgramData, Users and Windows folders]

hiberfil.sys & Pagefile.sys

Hibernation Mode o> Windows 10/11 Desktop Computer co ¢9
Default Mode BESS Hybrid-Sleep Mode On coosdloouSi Performance
Soq]3q]}39 Default BESS Hybrid-Sleep Mode On coozdloovSi Setting
60203 User ane e[goesed8é SloooS
[Screenshot: Power Options > Advanced settings on a desktop, plan "Balanced [Active]" (other plans listed: High performance, Power saver, Ultimate Performance): Sleep > Sleep after; Allow hybrid sleep, Setting: On; Hibernate after; Allow wake timers; USB settings]


Laptop 02996009 Hibernation Mode a saq}}2q]}:(GSC0los05i1 User 


L 
mod Setting coge[goezcS$EdloouSi Default are0r9 |a2005006 g208E: 
[gdclos05 Hibernation File a> Hybrid-Sleep Mode On coozo) Desktop, 


Laptop 602906 BitLocker Recovery qoosegqpgo 3005:{G|/&E0lor051 
[Screenshot: Power Options > Advanced settings on a laptop, plan "Balanced [Active]": Sleep after: On battery 15 Minutes, Plugged in 30 Minutes; Allow hybrid sleep: On battery Off, Plugged in Off; Hibernate after; Allow wake timers; USB settings]


hiberfil.sys, Pagefile.sys Go203 09800 3a90363 a72090380q03390205
Forensics Imager 6o339992{g|q0lo205 3egqog2 Open Source (gd0> FTK
Imager 033905s{G,c0020lo0051 FTK Imager 39093(G|9 25208 [ggeocd8
@q200020) ©2g95G0lor05i1 Read Here


[Screenshot: AccessData FTK Imager 4.7.1.2, Evidence Tree of the C: volume (root entries such as $UpCase, 360SANDBOX, Config.Msi, Documents and Settings, inetpub, Program Files, ProgramData, pagefile.sys, swapfile.sys) used to export hiberfil.sys]

Export hiberfil.sys With FTK Imager


[Screenshot: Elcomsoft Forensic Disk Decryptor, "Select encrypted disk\partition and decryption method": Partition2 FAT32 100.00 MB, Partition3 16.00 MB, Partition4 (C:) 108.67 GB, Partition5 540.00 MB, Partition6 816.00 MB, Partition7 (D:) 127.87 GB, PhysicalDrive1 (Ext.) 28.82 GB with Partition1 (F:) 28.82 GB, PhysicalDrive6 (Ext.) 3.64 GB with Partition1 (K:) 3.63 GB; decryption method options shown include Password, Active Directory file and Recovery key]

Search In hiberfil.sys


Volume Master Key (VMK) , Recovery Key 9(G:0396 BitLocker
Disk/Volume fo) Decrypt c9d0r0 Mount codors603(G10958Eclor051

Segqp¢o Elcomsoft 390920 (]6 Passware Kit o305a005:(G) 8Edlos05i
[Screenshot: Passware Kit, "Decrypting a BitLocker Volume", tab "I have a memory image" ("Instant decryption will be performed if you have a memory image of the target computer acquired when the encrypted disk was mounted"): Encrypted BitLocker volume image file C:\Users\aungz\Desktop\hiber\BL_image.001; Disk partition: Partition 0, size 3.63 GB: Bitlocker Volume; Physical memory image file C:\Users\aungz\Desktop\hiber\hiberfil.sys; Destination file C:\Users\aungz\Desktop\hiber\BL-IMAGE-decrypted.dd]


Passware Kit 9005 hiberfil.sys ga(gé Memory Dump [(GicoSc00203 File
Sodqpegscolorodi Elcomsoft § 296920029923909026(gd0lor05i1 Recovery
Key, Volume Master Key (VMK) Be Eod Decrypt (G1c058Eclos05


[Screenshot: Passware Kit, "Decrypting a BitLocker Volume", tab "I have a memory image": Encrypted BitLocker volume image file C:\Users\DFM\Desktop\azm\BL_IMAGE.001; Disk partition: Partition 0, size 3.63 GB: Bitlocker Volume; Physical memory image file C:\Users\DFM\Desktop\azm\MEM-DUMP.mem; Destination file D:\Bit Locker Output\Out.DD]




[Screenshot: Passware Kit, "Decrypting a BitLocker Volume", tab "I don't have a memory image" ("Brute-force attack will be assigned if you don't have a memory image of the target computer acquired when the encrypted disk was mounted"): volume image file C:\Users\DFM\Desktop\azm\BL_IMAGE.001; Disk partition: Partition 0, size 3.63 GB: Bitlocker Volume; key source = Recovery Key 208813-035651-391512-039710-083479-229493-065703-705045 (alternatives: I don't have VMK/Recovery Key, BitLocker VMK); "Create a decrypted partition image" checked; Destination file D:\Bit Locker Output\Out.DD]


Memory Acquisition (G}09603 0520063 (Power OFF) 


399§ 092006209 TPM + BitLocker os) @ Secure Boot (Pin) Boe Computer
Password 289 €(Gicod08qo039052006:(gd0lor05 Computer [G&gec3aso>
39930q|$90 BitLocker Disk/Volume 4, VMK Key a2 RAM cdgogiegod
390203(360lo0051 SEO OIa0EIDd™ESs, WARM Boot (G1coSclos051 CTRL +
ALT + DELETE @{g}e9dqoli Hardware Restart Button Or Restart
(G[e95qclos05 Qa ¢ USB ooe§ Memory Imager § Memory Dump (g1005
dlovoSi




[Screenshot: bootable memory imager console log (06.01.2023 22:55): physical address ranges, page quantities and page attributes enumerated, "Skipping runtime region", "Status: Success", then prompts to disconnect the USB drive and reboot or shut down the computer; log file name and image destination printed, with a progress counter in MB]

Memory Dump with Memory Imager



Memory Dump @(G:0806 90009I609(Goos!09 95200626025, 

Volume Master Key (VMK) , Recovery Key oq 028éclor051 399609(Goos:09 

§2020063:60289 BitLocker Key 0) gpegcgegsorz—a2:E0qC |Sgo0DE03 


§ 25006: (gd05 Password Attack [Gjcpd03 252008250 §dlor05iI 




Dictionary Attack, Brute-Force Attack [G}09S039905:006: 


User 6§ Password cozco2s0003a60 @0209(93 saq}§[a708E0los05i 
Social Engineering 390$2(g}009[g8(goui User G0:000503 Password 02099 


B8oE Custom Dictionary (1058: Attack (Gico5q92 (gdclos05 BitLocker 


Drive 00090020) Forensics Image (6: Attack (Gic9SqClos05 




[Screenshot: Passware Kit, "Decrypting a BitLocker Volume", tab "I don't have a memory image": volume image file C:\Users\DFM\Desktop\azm\BL_IMAGE.001; Disk partition: Partition 0, size 3.63 GB: Bitlocker Volume; key source = "I don't have VMK/Recovery Key" (alternatives: Recovery Key, BitLocker VMK); "Create a decrypted partition image" checked; Destination file D:\Bit Locker Output\Out.DD]

[Screenshot: Passware Kit file details for BL_IMAGE.001 (Folder C:\Users\DFM\Desktop\azm): File Type: Bitlocker Volume - Open Password, Numerical Password, Hardware acceleration possible, Instant Memory attack possible; Complexity: Brute-force - Slow; MD5: 2DD6CB5AF752D56257C851EC5030281E; Password: File-Open; Recovery Key (Numerical Password) ID: CE494B3F-B3C9-40D9-BCB0-D15E166B447E; Unprotected file MD5: 5C401AA02BD33061CA6E1D11BD67D528. Tabs: Recover File Password, Passwords Found, Resources, Performance, Attacks, Log; Agent: built-in, Microsoft Windows 10, Intel(R) Core(TM) i5-3380M CPU, 1 CPU]


02080205008: Password Attack cod0DSgqDgI Resource 339020) $0 


0 QI} 00960369 Agent 6020005(93 29036, Resource B02 Attack 095000 


AWS od: Cloud oo¢g Resource 09029603(G,c9dqolor051 VeraCrypt 
goede RAM cogo Key @0Y§Ss09€ Setting @9939:(GEc8qolor05i 


[Screenshot: VeraCrypt - Preferences: Default Mount Options (mount volumes as read-only / as removable media); VeraCrypt Background Task; Actions to perform upon logon to Windows; Auto-Dismount ("Dismount all when: user logs off, user session locked, screen saver is launched, entering power saving mode", "Auto-dismount volume after no data has been read/written to it for 60 minutes", "Force auto-dismount even if volume contains open files or directories"); Windows options (Use Secure Desktop for password entry, legacy maximum password length); Password Cache ("Cache passwords in driver memory", "Wipe cached passwords on exit", "Temporarily cache password during Mount Favorite Volumes operations", "Wipe cached passwords on auto-dismount", "Include PIM when caching a password")]

[Screenshot: VeraCrypt - Performance and Driver Options: Hardware Acceleration (processor supports hardware acceleration for AES: Yes; "Accelerate AES encryption/decryption by using the AES instructions of the processor (if available)"); Thread-Based Parallelization (note that Hyper-Threading provides multiple logical cores per physical core); Driver Configuration (extended disk control codes, TRIM for non-system SSD, Windows Disk Defragmenter, CPU hardware random generator as additional entropy source, "Activate encryption of keys and passwords stored in RAM")]




REF - ElcomSoft blog 


REF - https://support.passware.com/ 


Good Luck 


Aung Zaw Myo 


www.forensicsmyanmar.com 